Message-Id: <200410011935.i91JZiMF046866@www.freebsd.org>
Date: Fri, 1 Oct 2004 19:35:44 GMT
From: Björn König <bkoenig@cs.tu-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mac_seeotheruids restricts root
X-Send-Pr-Version: www-2.3

>Number:         72238
>Category:       kern
>Synopsis:       [mac] [patch] mac_seeotheruids restricts root
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 01 19:40:12 GMT 2004
>Closed-Date:    Tue Oct 25 03:14:39 GMT 2005
>Last-Modified:  Tue Oct 25 03:14:39 GMT 2005
>Originator:     Björn König
>Release:        FreeBSD 5.2.1
>Organization:
>Environment:
affects all FreeBSD 5 versions up to CURRENT
>Description:
mac_seeotheruids hides processes and connections from root. This is unsuitable because it's hard for root to maintain a multi-user server. Another problem, for example, is that an ident daemon can't work properly.

>How-To-Repeat:
Load the kernel module
"kldload mac_seeotheruids"

Execute as root
"sockstat"
"ps aux"

It shows only root's connections and processes.

>Fix:
Apply this patch

--- src/sys/security/mac_seeotheruids/mac_seeotheruids.c.orig   Thu Mar 27 20:26:39 2003
+++ src/sys/security/mac_seeotheruids/mac_seeotheruids.c        Fri Oct  1 21:32:13 2004
@@ -104,6 +104,9 @@
        if (!mac_seeotheruids_enabled)
                return (0);
 
+   if (u1->cr_ruid == 0)
+      return (0);
+   
        if (primarygroup_enabled) {
                if (u1->cr_rgid == u2->cr_rgid)
                        return (0);
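
Review bot: the added `if (u1->cr_ruid == 0)` test, placed directly after the `mac_seeotheruids_enabled` check, exempts root unconditionally, whereas the behaviours around it are each gated by a flag (`mac_seeotheruids_enabled`, `primarygroup_enabled`). Anyone who loads this policy expecting it to apply to uid 0 as well loses that with no way to opt back in, so consider putting the exemption behind its own flag, checked the same way as `primarygroup_enabled`. The test also keys on the real uid: a credential with real uid 0 is exempt whatever its effective uid, while one with effective uid 0 and a non-zero real uid stays restricted. A short comment stating that this is intended would help. Style: the added lines are indented with three spaces and the blank `+` line carries trailing whitespace, unlike the surrounding context lines.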

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Oct 8 06:15:22 GMT 2004 
Responsible-Changed-Why:  
Over to mac expert. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72238 
State-Changed-From-To: open->patched 
State-Changed-By: rwatson 
State-Changed-When: Mon Jan 3 12:02:50 GMT 2005 
State-Changed-Why:  
Sorry for the delay in responding to this bug report! 

Committed as mac_seeotheruids.c:1.7.  Will MFC to RELENG_5 after 2 weeks; 
change will appear as of FreeBSD 5.4-RELEASE. 



From: Matteo Riondato <rionda@gufi.org>
To: bug-followup@freebsd.org
Cc: rwatson@freebsd.org
Subject: Re: kern/72238 [patch] mac_seeotheruids restricts root
Date: Thu, 7 Apr 2005 22:13:12 +0200

 Patch was committed and MFCed on Sat Jan 22 19:18:15 2005 UTC, so this
 PR can be closed.
 Best Regards
 -- 
 Rionda aka Matteo Riondato
 Disinformato per default
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)
 
State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Oct 25 03:14:21 GMT 2005 
State-Changed-Why:  
Patch committed and MFCed nearly a year ago. 

>Unformatted:
